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Preface 
About Qualys 


Preface 


Welcome to Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS in Red Hat 
OpenShift. This user guide describes how to install cloud agents on hosts in your network. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Contact Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 
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Get Started 


Thank you for your interest in Qualys Cloud Agent! 


= 


This document tells you all about installing Qualys Cloud Agent for Qualys Cloud Agent 
for Red Hat Enterprise Linux CoreOS in Red Hat OpenShift. We'll tell you about 
Requirements, Installation Steps, Proxy Configuration, and more. 


Qualys Cloud Agent Introduction 


Qualys Cloud Platform gives you everything you need to continuously secure all of your 
global IT assets. Now with Qualys Cloud Agent, there’s a revolutionary new way to help 
secure your network by installing lightweight cloud agents in minutes, on any host 
anywhere - server, virtual machine, laptop, desktop or cloud instance. 


Get informed quickly on Qualys Cloud Agent (CA). 


Video Tutorials 
Cloud Agent Platform Introduction (2m 10s) 
Getting Started Tutorial (4m 58s) 


Cloud Agent Platform Availability for CoreOS 


For the most current list of supported cloud agents with versions and modules on the 
Qualys Cloud Platform, please refer to the following article: Cloud Agent Platform 
Availability Matrix 


A few things to consider... 


Cloud Agent requirements 


- Your hosts must be able to reach your Qualys Cloud Platform (or the Qualys Private 
Cloud Platform) over HTTPS port 443. Log into the Qualys Cloud Platform and go to Help > 
About to see the URL your hosts need to access. 


- To install Cloud Agent for Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS in 
Red Hat OpenShift, you must have root privileges, non-root with Sudo root delegation, or 
non-root with sufficient privileges (VM license only). Proxy configuration is supported. 
Learn more 


- The Cloud Agent requires minimum 512 MB RAM if you are using VM/PC. 


- Minimum 200 MB of disk space is required. 


Get Started 
A few things to consider... 


What are the installation steps? 

Our Cloud Agent UI walks you through the steps to install agents on your hosts. You might 
want to configure proxy settings for our agent to communicate with our cloud platform. 
Need help with troubleshooting? 

We recommend you inspect the agent's log file located here: 


/var/log/qualys/qualys-cloud-agent.log 
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Tips and best practices 


Installation 


It's easy to install Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS in Red Hat 
OpenShift. We'll walk you through the steps quickly. 


Qualys provides installers and packages for each supported operating system that are 
coded for each Qualys platform. It's not possible to connect an agent coded for one 
platform to another platform. Organizations can use their existing software distribution 
tools (SCCM, BigFix, rpm, Casper, etc.) to install the agent into target machines. 


The platform supports detection of duplicate agent IDs and automatically re-provisions 
the duplicate agents. 


Customers using software distribution tools must package the Qualys-provided installer 
along with the specific Activation Key and Customer ID strings to install properly. Do not 
package up the artifacts that are installed by the agent into your own installer as the 
installation environment is keyed for that specific machine when the agent is installed; 
doing so will create duplicates that the platform may not be able to easily de-duplicate. 


Keep in mind - Depending on your environment, you might need to take steps to support 
communications between agent hosts on your network and the Qualys Cloud Platform. 


Tips and best practices 
How to download Agent Installer 
Installation steps 


Proxy Configuration 


Tips and best practices 


What is an activation key? You'll need an agent activation key to install agents. This 
provides a way to group agents and bind them to your subscription with Qualys Cloud 
Platform. You can create different keys for various business functions and users. 


Benefits of adding asset tags to an activation key Tags assigned to your activation key will 
be automatically assigned to agent hosts. This helps you manage your agents and report 
on agent hosts. 


Running the agent installer You'll need to run the installer from an elevated command 
prompt, or use a systems management tool using elevated privileges. 


Be sure to activate agents to provision agents for modules - Vulnerability Management 
(VM). Activating an agent for a module consumes an agent license. You can set up auto 
activation by defining modules for activation keys, or do it manually in the Cloud Agent 
UI. 


What happens if I skip activation? Agents will sync inventory information only to the 
cloud platform (IP address, OS, DNS and NetBIOS names, MAC address), host assessments 
will not be performed. 


Installation 
How to download Agent Installer 


How many agents can l install? You can install any number of agents but can activate an 
agent only if you have a license. The Agents tab in the Cloud Agent UI tells you about your 
installed agents. 


Check to be sure agents are connected Once installed agents connect to the Qualys Cloud 
Platform and provision themselves. You can see agent status on the Agents tab - this is 
updated continuously. If your agent doesn't have a status, it has not successfully 
connected to the cloud platform and you need to troubleshoot. 


How to download Agent Installer 


Here's how to download an installer from the Qualys Cloud Platform and get the 
associated Activation ID and Subscription ID. 


Log into the Qualys Cloud Platform and select CA for the Cloud Agent module. 
© Qualys Cloud Platform 


Modules v 


SECURITY OPERATIONS (1) 


reat Hunting, Incident 
nse 


COMPLIANCE (3) 


PC Policy Compliance 
Define and monitor IT security standards aligned 
SCA with regulations s : 


PCI 


ce with the PCI Data Security 


File Integrity Monitoring || 
FIM Monitor changes on file systems 


SENSOR MANAGEMENT (3) 


Cloud Agent 
CA Stay updated with network security by deploying 
agents on your hosts 


Network Passive Sensor 
PS Ga ne visibility of all assets 


Qualys Gateway Servic 
QGS Appliance provi y and cache for Cloud 
Agents and othe S 
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Choose an activation key (create one if needed) and select Install Agent from the Quick 
Actions menu. 


& Agent Management Agents Activation Keys Configuration Profiles 


Status Active + Enabled Yes + 


New Key 1 acti 
L1 Activation Key Last Used Agents Created Expires Modt 
My Activation Key - unlimited a never 0 July 19, 2016 never 
786128dc-06eb-49a1-856d-2e380fc3d6a4 5 5 
| Install Agent esse" 


few Key Info 
Edit Key 
Delete Key 
Disable Key 


Click Install instructions for the target host. 


What happens? The Agent installer 
is downloaded to your local system, 
and in the UI you'll see the 


WP coo va aum —“—_ | associated Activation key ID and 
Q xs Powers BMAX iniatinsiusions) | Subscription ID - copy and paste this 
v fe x64 FreeBSD [Install instructions to a safe place, you Il need it to 
complete the installation. 
soðin ey x88 Solaris “Install instructions 
son D SPARC Solaris Install instructions 
A a ppc64le CentOS Install instructions 
e EE x64 Core Os Install instructions 


Looking for more details ? 
Click here for OS version list supported by the Cloud Agent 


cs a 
ES 


Installation steps 


What you'll need 


To install cloud agents, you'll need to download the Cloud Agent installer and get the 
associated ActivationID and CustomerID. Just log into the Qualys Cloud Platform, go to the 
Cloud Agent (CA) module, and follow the installation steps for Qualys Cloud Agent for Red 
Hat Enterprise Linux CoreOS in Red Hat OpenShift (.tar.xz) to get everything you need. 


Prerequisites: 
- OpenShift Cluster with 4.6 version 
- Cluster configured with Registry for Master and Worker Nodes 


Installation 
Installation steps 


Steps to install Agents 


1. Download the Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS in Red Hat 
OpenShift Container image tar file from Qualys Cloud Platform. 


2. Upload the downloaded Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS in Red 
Hat OpenShift Container image tar into Master node where we can access OpenShift 
cluster via OpenShift nodes login. Untar package file (for example: package name in the 
commands) file and load on master or worker node using following commands: 


# tar -xJf «package name.tar.xz» 
# sudo podman load -i «package name.tar> 
3. Verify that the following files are present: 
- Ixa-openshift-crio-ds.yml 
- version-info 
- image-id 
- qualys-cloud-agent-md5 
- qualys-cloud-agent-sha 
- qualys-cloud-agent.tar 
4. Get the agent binary in your worker or master node. 
5. Pull the image using OpenShift nodes. 
6. Configure parameters in YML: 
- image: path of container image (localhost path or shared repository path) 


- activation-id: Activation Id for the Qualys Cloud Agent for Red Hat Enterprise Linux 
CoreOS in Red Hat OpenShift, auto-generated based on your subscription. 


- customer-id: Qualys subscription's customerld, auto-generated based on your 
subscription. 


- provider-name: The value for this parameter can be AWS, AZURE, GCP, IBM, ALIBABA, 
ORACLE, NONE or AUTO. If you provide 'NONE' value, it won't check for provider name. If 
you provide 'AUTO' value, it will auto check the provider. 


- log-level: Configuration to set the logging level for Qualys Cloud Agent for Red Hat 
Enterprise Linux CoreOS in Red Hat OpenShift, accepts 0 to 5. Default is 3. 


Sample YML Configurations: 
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containers: 
- name: qualys-cloud-agent-container 
image: /qualys/linux-cloud-agent:3.5.0-20 
umagePullPolicy: IfNotPresent 
resources: 
Limits: 
cpu: "0.5" # Default CPU usage limit on each node for cloud-agent. 
# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud 
env: 
- name: qualys_https_ proxy 
value: <proxy FQDN or Ip address>:<port#> 
args: 


[ " 


qualys.com/CloudAgent" 
] 


volumeMounts : 

- mountPath: /host_root 
name: root-host-path 
mountPath: /usr/local/qualys/cloud-agent/data 
name: data-host-path 
mountPath: /etc/qualys/cloud-agent 
name: config-host-path 
mountPath: /var/log/qualys 


Note: If cpu set to more than 0.5 or 0.7 using YML file, agent won't be installed on all 
nodes in the cluster. 


7. Run the command to deploy the Qualys Cloud Agent for Red Hat Enterprise Linux 
CoreOS in Red Hat OpenShift cluster. 


# oc apply -f lxa-openshift-crio-ds.yml 


8. Verify the container running under qualys name space using following command: 


Soc get pods -n qualys-agent 
NAME READY STATUS RESTARTS AGI 


Gl 


ualys-cloud-agent-4lcnb 1/1 Running 0 42m 
ualys-cloud-agent-4nxjr 0/1 Running 0 42m 
ualys-cloud-agent-bdhh9 1/1 Running 0 42m 
ualys-cloud-agent-grem7 0/1 Running 0 42m 
ualys-cloud-agent-hw959 0/1 RunningO 42m 


q 
q 
q 
q 
q 
q 


ualys-cloud-agent-krxjc 0/1 Running 0 42m 


When the instance is started it will activate the Qualys Cloud Agent which will provision 
itself and continue functioning as expected. 


What happens next? 


We'll start syncing asset data to the cloud! 
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Installation 
Installation steps 


Once installed an agent connects to the Qualys Cloud Platform and provisions itself. We 

would expect you to see your first asset discovery results within a few minutes. The first 
assessment scan in the cloud takes some time, after that scans complete as soon as new 
host metadata is uploaded to the cloud platform. 


What happens next? 
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Proxy Configuration 


You can configure proxy in YML file. Following snippet shows sample proxy configuration. 


cpu: "0.5" # Default CPU usage Limit on each node for cloud-agent. 
# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud 
env: 


- name: qualys https proxy 
value: Hef 


Following parameters are optional while configuring proxy. 
Proxy: IPv4 address or FQDN of the proxy server 


ProxyCertFile: Proxy certificate file path. ProxyCertFile is applicable only if Proxy has valid 
certificate file. If this option is not provided, then Qualys Cloud Agent for Red Hat 
Enterprise Linux CoreOS in Red Hat OpenShift would try to connect to the server with 
given https Proxy settings only. If only ProxyCertFile is provided without Proxy then Qualys 
Cloud Agent for Red Hat Enterprise Linux CoreOS in Red Hat OpenShift would simply 
ignore the ProxyCertFile and it would try to connect to the server without any https proxy 
settings. 
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On Demand Scan 


You can run an On Demand Scan to instruct the agent to immediately scan as long as the 
agent is not already scanning. The On Demand Scan runs independently of the interval 
scan that you configure in the Configuration Profile and will reset the scan interval on the 
local agent after a successful scan. 


Prerequisite: The agent must be activated for that specific Qualys application for which 
you are running the On Demand Scan. When activated, the Agent downloads manifests 
for that application from the Qualys platform; if the manifest is not present for that type, 
On Demand Scan will not execute. 


Use the cloudagentctl.sh script to run the OnDemand Scan. You'll find this script at 
/usr/local/qualys/cloud-agent/bin/. Run following command on Master node: 


># oc -n qualys-agent exec -it «container id» -- bash 
/usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action-demand 
type-inv cputhrottle={0-1000} 


Where action and type are mandatory parameters. 
action is “demand”, meaning an On Demand Scan. 


type is the application for which you want to run the scan (the agent must be activated for 
the respective application first). 


cputhrottle is 1-1000. Default is 0, which is no throttling. 


For example, to initiate an On Demand Scan for the Vulnerability Management 
application (VM) with no throttling: 


># oc -n qualys-agent exec -it «container id» -- bash 
/usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action-demand 
action-demand type-vm 

The script calls the agent to run asynchronously in the background and returns to the 
shell prompt. The script prints a Controlld that you can track in the log file. The Controlld 
is the timestamp of the script initiation, e.g. On-Demand-Request Controlld: 
20200427151136.0 


The On Demand Scan logs to the same log file as the agent at /var/log/qualys/qualys- 
cloud-agent.log. You can find the logging for the scan initiation and completion in the log 
file. 


2020-04-27 15:11:36.474 [qualys-cloud- 
agent] [9710]: [Information]: [140048573286144] :OnDemandRequest Params: 
ControlID-20200427151136.0, Action-OnDemand, Type-VM, CPUThrottle=0" 


If the agent is currently performing an interval scan for the same type, the On Demand 
Scan will delay waiting for the currently running scan to finish. The script will print a log 
line with this status. 


2020-04-27 15:11:36.474 [qualys-cloud- 
agent] [9710]: [Information]:[140048573286144]:Interval Event of same type 
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On Demand Scan 


is in progress with state INTERVAL EVENT SCAN 

2020-04-27 15:11:36.474 [qualys-cloud- 

agent] [9710]: [Information]: [140048573286144]:OnDemand request for 
Control ID : 20200427151136.0 will be delayed. 


If the script errors due to the manifest file not being present, check whether the Cloud 
Agent is activated for that particular application. If agent is activated but you still get 
manifest related errors while running the On Demand Scan command, the agent may not 
have downloaded the manifest for that application. You can manually force a manifest 
download by deactivating then reactivating the agent for that application from the Cloud 
Agent user interface module. If that doesn't correct the issue, contact Qualys Support. 


Once an On Demand Scan is completed, the results are logged in the log file located at 
/var/log/qualys/qualys-cloud-agent.log. 
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Best Practices 


Here are some best practices for managing your cloud agents. Refer to the Cloud Agent 
Technical Whitepaper for additional documentation and best practices. 


Upgrading Cloud Agent 
1. Login in to the OpenShift via Master node using OpenShift Container login. 


2. Upload new image in OpenShift cluster and update the image name in the yml file: Set 
to localhost/qualys/linux-cloud-agent:3.5.0-xx: OR Set to localhost/qualys/linux-cloud- 
agent: latest 


3. Run the command to delete and recreate the Qualys Cloud Agent on CoreOS: 
f oc delete -f lxa-openshift-crio-ds.yml 


# oc apply -f lxa-openshift-crio-ds.yml 


Note: Auto upgrade is not supported and manual intervention is required. 


Uninstalling Cloud Agent 


Uninstalling the agent from the Cloud Agent module UI or API 


When you uninstall a cloud agent using the Cloud Agent module user interface or Cloud 
Agent API, the agent and license is removed from the Qualys subscription. We'll also purge 
the associated agent host record and scan results for any licensed modules, i.e. 
Vulnerability Management, Policy Compliance. 


Note: Self revoke is not supported. If revoke request sent from UI or API, agent will be 
halted but won't uninstall itself, and manual intervention is required. 


Uninstalling the agent from Container 

1. Login in to the OpenShift via Master node using OpenShift Container login. 

2. Run the following command to remove the Qualys Cloud Agent 

oc delete -f lxa-openshift-crio-ds.yml 

3. Remove Qualys Cloud Agent Config, Data, and Log Directories manually on all masters 
and workers 


sudo rm -rf /usr/local/qualys/cloud-agent/data 
sudo rm -rf /etc/qualys/cloud-agent 
sudo rm -rf /var/log/qualys 
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Proxy Configuration Encryption Utility 


You can use the Proxy Configuration Encryption utility to encrypt the user name and/or 
password (as needed) that you provide to the proxy environment variable 
qualys https proxy or https proxy. 


F 


The string-util utility is included in the Cloud Agent installation package. Install or extract 
the Cloud Agent installation package to get the utility. 
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The string-util utility is to be used once on any system where it's installed to encrypt the 
values that will be used on all systems running Cloud Agent that have the same 
credentials. It is not required to run the utility on each system running Cloud Agent. 


Provide the encrypted user name and password to your proxy environment variable in 
YML file. 


qualys https proxy=https://[<#encrypted username>:<#encrypted password» 
]«host»[:«port»] 


The # delimiter indicates to the Cloud Agent that the user name and password are 
encrypted. Not including the # indicates that the user name and password are in plain text 
format. 


For example (only encrypting password): 

qualys https proxy-https://sys account: #SRpSHQP582al+gaJwHOm3g==@proxy.m 
yco.com:8080 

For example (encrypting username and password): 


qualys https proxy=https://#uWpsHMSY 932b2+fdcH723d==: #SRpSHQP582al+gaJwH 
Om3g==@proxy.myco.com: 8080 
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